[Help] DbgPrint printing a UnicodeString actually blue-screens?
Posted on: 2009-3-13 00:31
A piece of beginner code. What it does: the driver enumerates processes, adds each process name to a linked list, and passes them to user mode through an IOCTL. It runs fine on clean Win2000, WinXP and Win2003 in a virtual machine, but if Kaspersky is installed on those systems, the driver still loads normally, yet the machine blue-screens as soon as the application and the driver interact. Occasionally it does not blue-screen, but the process names that come out are garbage. The WinDbg analysis is as follows:
★★★★★★★★★★★★★★★
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {fe1e3e30, 0, 80507bb6, 0}
Could not read faulting driver name
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
*** ERROR: Module load completed but symbols could not be loaded for safeboxkrnl.sys
Probably caused by : irp3.sys ( irp3!MyDeviceIoControl+b4 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fe1e3e30, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80507bb6, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: fe1e3e30
FAULTING_IP:
nt!_output+909
80507bb6 668b03 mov ax,word ptr [ebx]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: irp3exe.exe
LAST_CONTROL_TRANSFER: from 804fff32 to 80507bb6
STACK_TEXT:
f282d41c 804fff32 f282d438 f7d8792c f282d6d8 nt!_output+0x909
f282d458 80500006 f282d494 00000200 f7d8792c nt!_vsnprintf+0x2f
f282d6b0 80500093 80500096 ffffffff 00000000 nt!vDbgPrintExWithPrefix+0x91
f282d6cc f7d87a74 f7d8792c e1ea26b8 e1ea26b0 nt!DbgPrint+0x1a
f282d70c 804e47f7 febf8030 83435cf0 806f12d0 irp3!MyDeviceIoControl+0xb4 [e:\mydriver\irp\3\sys\irp3.c @ 152]
f282d71c 80568f81 83435d60 fecd5028 83435cf0 nt!IopfCallDriver+0x31
f282d730 8057ba9f febf8030 83435cf0 fecd5028 nt!IopSynchronousServiceTail+0x70
f282d7d8 8058ffe3 000007e8 00000000 00000000 nt!IopXxxControlFile+0x611
f282d80c f5b54f98 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.
f282d854 f59fbb3d 000007e8 00000000 00000000 klif+0x10f98
f282dd30 804df7ec 0012feec 000007e8 00000000 safeboxkrnl+0xab3d
f282dd30 7c92e4f4 0012feec 000007e8 00000000 nt!KiFastCallEntry+0xf8
0012ff1c 00000000 00000000 00000000 00000000 0x7c92e4f4
STACK_COMMAND: kb
FOLLOWUP_IP:
irp3!MyDeviceIoControl+b4 [e:\mydriver\irp\3\sys\irp3.c @ 152]
f7d87a74 83c40c add esp,0Ch
FAULTING_SOURCE_CODE:
148: }
149: pMyData = CONTAINING_RECORD(RemoveHeadList(&ProcessListHead),
150: MYPROCESSDATA,
151: myListEntry);
> 152: DbgPrint("[Aliwy] %wZ(%.8X)\n", &pMyData->usImageName, pMyData);
153:
154: RtlInitAnsiString(&asData, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
155: RtlUnicodeStringToAnsiString(&asData, &pMyData->usImageName, TRUE);
156: outData = (PCHAR)asData.Buffer;
157: outDataLen = asData.Length + 1;
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: irp3!MyDeviceIoControl+b4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: irp3
IMAGE_NAME: irp3.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49b52e86
FAILURE_BUCKET_ID: 0x50_irp3!MyDeviceIoControl+b4
BUCKET_ID: 0x50_irp3!MyDeviceIoControl+b4
Followup: MachineOwner
---------
★★★★★★★★★★★★★★★
In the code,
pMyData is defined as a global variable.
I analysed it myself, and it seems the error happens when DbgPrint eventually calls _output and reads
fe1e3e30:
80507bb6 668b03 mov ax,word ptr [ebx] ds:0023:fe1e3e30=????
The line in the code
DbgPrint("[Aliwy] %wZ(%.8X)\n", &pMyData->usImageName, pMyData);
works fine if I do not print the UnicodeString with %wZ and only print the pMyData pointer address with %.8X.
The IRQL is always PASSIVE_LEVEL.
Could everyone give me some pointers on what the next step in the analysis should be?
Thanks!!!
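The dump above faults inside nt!_output while it reads a WCHAR through ebx, i.e. while %wZ walks usImageName.Buffer, and the bugcheck text itself says such an address is "typically just plain bad or pointing at freed memory"; the poster's own observation that %.8X on pMyData works fine is consistent with the node being valid but the string buffer it points at not being. The page does not say where that buffer came from, so the following is an added example and not code from the original post: a user-mode C mirror of UNICODE_STRING (the struct and helper names ending in _MIRROR, the clone/check helpers, and the "irp3exe.exe" sample are all mine) showing why a list node that merely stores a pointer to someone else's buffer later prints garbage once that buffer is recycled, while a node that owns a deep copy survives, plus the well-formedness check a driver can run before handing a UNICODE_STRING to %wZ. In a real driver the malloc would be ExAllocatePoolWithTag from non-paged pool.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-mode mirror of the kernel UNICODE_STRING; Length and MaximumLength are byte counts. */
typedef uint16_t WCHAR16;
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    WCHAR16 *Buffer;
} UNICODE_STRING_MIRROR;

/* Mirror of the poster's list node: only the string field matters for this demonstration. */
typedef struct {
    UNICODE_STRING_MIRROR usImageName;
} MYPROCESSDATA_MIRROR;

/* Invariants that a %wZ formatter relies on. Returns 1 if the string may be read, 0 otherwise.
   It cannot prove the Buffer memory is still live; only owning the buffer guarantees that. */
int unicode_string_is_well_formed(const UNICODE_STRING_MIRROR *s)
{
    if (s == NULL) return 0;
    if (s->Length % 2 != 0) return 0;              /* byte count of 2-byte units */
    if (s->Length > s->MaximumLength) return 0;
    if (s->Length > 0 && s->Buffer == NULL) return 0;
    return 1;
}

/* Deep-copies src into dst so that dst owns its storage. Returns 0 on success, -1 on failure. */
int unicode_string_clone(UNICODE_STRING_MIRROR *dst, const UNICODE_STRING_MIRROR *src)
{
    dst->Buffer = NULL;
    dst->Length = 0;
    dst->MaximumLength = 0;
    if (!unicode_string_is_well_formed(src)) return -1;
    if (src->Length == 0) return 0;
    WCHAR16 *buf = malloc(src->Length);            /* driver: ExAllocatePoolWithTag, NonPagedPool */
    if (buf == NULL) return -1;
    memcpy(buf, src->Buffer, src->Length);
    dst->Buffer = buf;
    dst->Length = src->Length;
    dst->MaximumLength = src->Length;
    return 0;
}

void unicode_string_free(UNICODE_STRING_MIRROR *s)
{
    free(s->Buffer);                               /* driver: ExFreePoolWithTag */
    s->Buffer = NULL;
    s->Length = 0;
    s->MaximumLength = 0;
}

/* Compares a UNICODE_STRING against an ASCII expectation (used by the demonstration). */
int unicode_string_equals_ascii(const UNICODE_STRING_MIRROR *s, const char *ascii)
{
    size_t n = strlen(ascii);
    if (!unicode_string_is_well_formed(s) || s->Length != n * 2) return 0;
    for (size_t i = 0; i < n; i++)
        if (s->Buffer[i] != (WCHAR16)(unsigned char)ascii[i]) return 0;
    return 1;
}

/* Risky pattern: the node only keeps a view of a buffer somebody else owns. */
MYPROCESSDATA_MIRROR node_with_view(const UNICODE_STRING_MIRROR *src)
{
    MYPROCESSDATA_MIRROR n;
    n.usImageName = *src;
    return n;
}

/* Safe pattern: the node owns a private copy that outlives the source buffer. */
int node_with_clone(MYPROCESSDATA_MIRROR *n, const UNICODE_STRING_MIRROR *src)
{
    return unicode_string_clone(&n->usImageName, src);
}

/* Returns 1 when the cloned node still holds the name after the source buffer was recycled
   while the view node no longer does, which is the garbled-name symptom from the post. */
int demo_view_vs_clone(void)
{
    WCHAR16 scratch[32];                           /* stands in for a temporary query buffer */
    const char *name = "irp3exe.exe";              /* constructed sample, taken from PROCESS_NAME */
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++) scratch[i] = (WCHAR16)name[i];
    UNICODE_STRING_MIRROR src = { (uint16_t)(n * 2), (uint16_t)sizeof scratch, scratch };

    MYPROCESSDATA_MIRROR view = node_with_view(&src);
    MYPROCESSDATA_MIRROR owned;
    if (node_with_clone(&owned, &src) != 0) return 0;

    /* The scratch buffer is reused, as a freed or recycled pool block would be. */
    for (size_t i = 0; i < 32; i++) scratch[i] = 0x3F3F;

    int view_broken = !unicode_string_equals_ascii(&view.usImageName, name);
    int clone_ok = unicode_string_equals_ascii(&owned.usImageName, name);
    unicode_string_free(&owned.usImageName);
    return view_broken && clone_ok;
}

int main(void)
{
    printf("clone survives, view does not: %d\n", demo_view_vs_clone());
    return 0;
}
```

The well-formedness check catches odd Length, Length larger than MaximumLength and a NULL Buffer, but it cannot tell that a buffer has been freed; the only way to make a name in the list safe to print later is to copy it into storage the list node owns and free it when the node is removed.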